About this blog

About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.

Search Deloitte Insights

Related Deloitte Insights

Enterprise quests for greater efficiency and competitive advantage through IT will drive significant tech sector growth in 2015 and beyond, says Paul Sallomi, vice chairman and U.S. Technology leader, Deloitte Tax LLP. Mr. Sallomi points to the Internet of Things and digital disruption as major trends that will create new tech sector opportunities this year and explains why being a large technology conglomerate could become a competitive disadvantage in the sector.

To defend against expanding threats, cyber security should become like the human immune system, isolating and attacking intruders even before knowing their identity or source. This could allow teams to apply cyber forensics in a controlled environment where business risk has already been contained.

The increasing ubiquity of mobile technologies suggests opportunities for financial services companies to cultivate deeper customer engagement and boost brand loyalty. However, while many financial services organizations have been relatively quick to jump on the mobile bandwagon, the industry still has a long way to go in capturing the full potential of this rapidly evolving technology, according to a new report from Deloitte.

Deloitte Views & Analysis

Risk modeling has been prevalent for years in certain industries in which taking calculated risk is integral to the business, such as financial services and energy. Wider availability of data and sophisticated analysis capabilities is making modeling more practical; at the same time, the need to cope with an increasingly risky environment is making it more valued. Dr. Patchin Curtis, leader of Deloitte’s Center for Risk Modeling and Simulation, discusses how risk modeling can be made an integral part of enterprise risk management.

With reputation risks gaining increasing attention, companies plan to address reputation risk by investing in technology, such as analytical and brand monitoring tools, to help strengthen their risk-sensing capabilities, according to the “2014 Reputation@Risk” survey of more than 300 executives, conducted by Forbes Insights on behalf of Deloitte Touche Tohmatsu Limited. They also plan to invest in data, including traditional media/negative mention monitoring, social media data, surveying and other data sources.

Concerns are being raised over big data’s impact on privacy. There are fears that fundamental protections are now challenged by the sheer velocity, veracity and volume of data and how it can be manipulated. The traditional idea of a trade-off between privacy and innovation is giving way to a broader use of analytics, which can protect personal privacy while driving strategic goals.

Managing Risks and Other Concerns When Moving to the Cloud

As many companies move some (or most) of their data to the cloud, their executives have to grapple with the decision of what data to move and when to move that data. They have to weigh the relative benefits and costs of moving to the cloud. They also have to consider specific risks such as security and application risks, process complexity and the degree of customization required.

Different industries and organizations will likely have varying propensities to put their data in the cloud. While information technology investments generally require a business case, the organizations that have a high propensity for using cloud computing technology will likely need to make a different business case not to use cloud. In other words, decision-makers may have to selectively discourage on-premises information technology investments.

Cloud computing technology and software as a service (SaaS) applications can become a welcoming platform for innovation and the strategic use of technology for driving business value. Yet, executives, particularly CIOs and CFOs, will face a number of important decisions around what to place into the cloud, how to structure the relationship with the cloud service provider and how to manage risks while operating in a cloud computing environment. They also will need to identify potential deal breakers and enablers they should consider in this migration.

Identify Business Objectives and Use of Technology to Meet Objectives

There is an interrelationship between business objectives, information and technology. Organizations often find that defining business objectives and gathering the needed information to address those business objectives is only part of the solution. The organization should also make effective use of technology. It is a symbiotic relationship; technology should be used in accordance with the businesses objectives, but the business objectives should be informed by the technology.

Imagine an organization that would like to engage in a more robust customer relationship management (CRM) initiative. The current on-premises system is over 10 years old and most of the time is spent just keeping the on-premises system running. The current IT staff do not have sufficient additional time to add new features to the system, and the current hardware environment does not have much additional capacity. This is a time in which current technological alternatives in the form of cloud computing can inform the business objective of improving the CRM environment. Rather than needing additional hardware, time to write new code and perhaps the need to hire additional IT staff, the organization can use a cloud-based CRM environment. There is no extra cost for computers nor staff; rather the service is purchased. However, there are multiple issues that should be examined before an organization embarks on such an endeavor.

In a cloud computing environment, the organization obtains a service that might be cost prohibitive had that organization developed that service on its own. However, when examining the total cost of ownership (TCO) for a cloud service, the CFO and CIO should include consideration for increased risk, compliance and governance costs.

A SaaS or cloud application will likely provide new capabilities and agility for the organization at a lower price point than could be accomplished internally, but the TCO should include consideration for risk monitoring and compliance costs. Increases in capacity and flexibility usually come at a cost requiring new trade-offs between cost/flexibility/capacity and relative risk. If there is too much risk (e.g., potential for exposure of confidential data), the organization will likely not want to avail itself to the technology. Alternatively, if the benefits exceed the potential risks, the organization will likely want to use the new technology. The “risk appetite” of the organization may also differentiate the organization that uses these resources. Two virtually identical firms, when faced with the same choice, may choose different outcomes because one firm has a more conservative risk profile while the other has a more aggressive risk profile. Both firms have made valid decisions based upon their respective risk tolerances.

How Can Cloud Computing Help Reshape Business Objectives?

As organizations consider cloud computing technology to meet their business objectives, there is an opportunity to redefine or advance objectives given the capabilities of cloud computing.

Some CIOs have identified cloud computing as a platform that elevates the value that information technology brings to the organization. Through the relative ease of creating new applications, and the ability for functional business employees to request or even create SaaS applications that help them meet their business objectives, cloud computing has strengthened the culture and functional ownership of how technology can further enable meeting business objectives. While introducing new technology can present risks to the organization, there is also a (potentially greater) possible risk of not allowing the technology that employees and functional leaders recognize will likely help them be effective. The organization risks being left behind from a technology perspective as well as an employee engagement and business capability perspective.

Is There Data That Is Too Sensitive for the Cloud?

CFOs and CIOs have indicated varying levels of sensitivity to having their information in the cloud, or off-premises, rather than on-premises. Regulatory and industry considerations such as those found in health care and financial services become prevalent in the data location decision-making. For other considerations, such as those stemming from the fear of others accessing content, an evaluation of the content by purpose can help clarify the decision about what data, if any, to move to the cloud. Whether using a value chain approach or other means to identify the purpose of data in the organization, CFOs’ and CIOs’ awareness of cloud computing capabilities can help them make informed decisions. (See CFOs and CIOs: How can you mitigate concerns when moving to the cloud?for a cloud computing service provider capability map.)

As CFOs and CIOs consider which data or applications should be placed into the cloud, they should determine if there are any “deal breakers.” It is likely that these deal breakers result from data characteristics, application characteristics and contract terms.

Are there any sensitive data that should not be placed into the cloud (at this time)? For example, should social security, bank account information, PCI data, HIPPA data, etc. be placed in the cloud? What legal restrictions exist across different countries in which you engage in commerce? Do any countries (or states) have restrictions upon the location in which cloud data are stored? Any of these items could be deal breakers that prevent the use of cloud resources.

Are there any applications that provide competitive advantage (which would be lost) if a “generic” version of that application was provided in the cloud? While there is certainly the allure of using cloud applications for many tasks (e.g., customer relationship management) consideration should be given to how those cloud applications would interface with on-premise applications that are a source of competitive advantage.

Are the terms of service associated with the cloud provider unacceptable? Click-through contracts are generally not acceptable to business organizations. Regardless, the contract should be carefully reviewed. A recent article has quoted terms from vendors that include “The SaaS vendor can suspend your right and license to use services, or terminate the agreement in its entirety for any reason or no reason, at its discretion at any time, with, at most, 60 days’ notice.” Or, with respect to indemnification “Your company must indemnify the SaaS provider from all claims relating to your use of the vendor’s services, with no limits on liability.” (Computerworld February 13 2012, “Big SaaS Done Right,” Robert L. Mitchell).

In addition to the above risks, there are other risk factors that should be considered when evaluating SaaS alternatives, including: privacy and security, legal issues/location of data, exiting a contract with cloud vendor, support, control, go

vernance, type of expense/usage monitoring and contingency, including system failure, vendor acquired and vendor ceases

See the chart: “What are risk considerations while managing acquisition of software as a service”? in CFOs and CIOs: How can you mitigate concerns when moving to the cloud?for a breakdown of potential risks of on-premise computing and those of cloud computing. The risk considerations while acquiring and managing the transition to cloud computing have operator implications to manage the availability and use of data.

What Cloud Service Contract Attributes Deserve Extra Attention?

Contract, governance and contingency considerations have steward implications to help protect and preserve the assets of the organization.

Much like entering any service provider contract, cloud service purchasers should consider the provider’s incentives and governance in place for their cloud service provider. Among many contract considerations, there are three contract areas for cloud service purchasers to consider when evaluating cloud service providers.

Evaluation Period: Does the cloud service provider offer an evaluation period to “try out” and test the service? What evidence can the cloud service vendor provide to validate services?

Monitoring Usage/Dynamic Provisioning: What mechanisms does the cloud purchaser have to govern usage and potentially change the number of billable users or seats based on usage? How will expense management work and who will be accountable for the use of technology resources (i.e., will it be functional business leads, IT functional leads)?

Contingencies: In a potential system failure, what back-up plans exist and who manages the back-up plans? If the cloud service vendor ceases operations, what will be the process for operationalizing information hosted by the cloud service provider?

Navigating the Clouds with Altimeters and Instruments

The decisions that CFOs and CIOs make on the company computing environment is as much an operating decision as it is a strategic decision. With the acceptance of cloud computing becoming more prevalent, and in many industries becoming the defacto computing environment, decision-makers should consider how cloud computing can transform their organization and redefine the strategic use of information technology. Fundamentally, with cloud technology capabilities and controls strengthening and the availability of such technology, there is a risk of not moving to cloud from a competitive perspective and from an employee support perspective. Technology enables the movement of data, decision-making, and is the foundation of information and operations; not having what may be the most effective technology for getting the job done could leave some organizations behind.